Overview
Syllabus
Intro
Problems with the Generic Hunt Process
Hypothesis-driven hunting benefits
- Focuses data collection efforts
- Provides a specific goal for the hunt team
- Helps eliminate analysis paralysis
MITRE Cyber Attack Lifecycle
Procedures - In the detailed information for each technique, specific examples or threats are included as available. Not all procedures are represented; this is a large and growing set of data.
Identify the Tactic & Technique
Identify Collection Requirements
Identify the Scope - Two factors for scope
Document Excluded Factors - What things were you unable to include in the hypothesis at each
Identify the Procedures - Technique. Pass the Ticket
Collection Requirements - Interact with Mimikatz to see its effect on tickets; collect the relevant data points
Collection Requirements - Enumerate Logon Sessions
Identify the Scope - Our Timeframe
Document Excluded Factors - Credential Theft Attacks
Future Developments - Silver Ticket Detection
Resources